slolife

Reputation: 19870

Insert OIDC IDP into existing SP SAML connection

Currently I have an SP that relies on a SAML identity provider. It also supports users logging in directly to the SP. A user can log in directly, or a user can start at the SP and be redirected to the SAML identity provider for authentication.

I am planning on converting the SP to use OIDC and IdSrv4 and not having SP-managed credentials at all. I'd like to still support the SAML provider, but ideally through the new OIDC IdP. What is the proper way to add this new OIDC IdP into the SAML flow? Do I:

  1. Have the SP and SAML IdP communicate and then pass the SAML response on to the IdP to translate (this does not seem correct and is open to abuse)
  2. Have the SP redirect to the OIDC IdP with some context so it knows to go to SAML. Then the OIDC IdP handles the SAML response and goes through the regular OIDC flows to the SP.
    1. What is best practice to tell IdP to use (redirect to) a certain SAML IdP in certain contexts and prompting for OIDC IdP creds in other contexts?
  3. Keep the SP using the SAML IdP and also have it use the OIDC IdP?
  4. Something else?

Upvotes: 0

Views: 471

Answers (1)

winstonhong

Reputation: 1339

Question 1:

Have SP and SAML communicate and then pass on SAML response to IdP to translate (this does not seem correct and open to abuse)

Answer:

OIDC and SAML are two different identity federation protocols that allow a third-party identity provider to provide authentication services for a relying-party web application.

A SAML SP can only send a SAML auth request to a SAML IdP (Identity Provider), because an OIDC IdP can NOT decode a SAML auth request.

Question 2: Have SP redirect to OIDC IdP with some context to know to go to SAML. Then OIDC IdP handles the SAML response and goes thru regular OIDC flows to SP.

What is best practice to tell IdP to use (redirect to) a certain SAML IdP in certain contexts and prompting for OIDC IdP creds in other contexts?

Answer:

An OIDC IdP can NOT decode a SAML auth request, because OIDC and SAML are two different protocols.

Question 3: Keep SP using SAML IdP and also have it use OIDC IdP?

Answer:

Yes. You can keep the SP using the SAML IdP, and also deploy an OIDC RP (Relying Party) to use the OIDC IdP.

(1) An identity provider can be equipped with an OIDC IdP (Identity Provider) and a SAML IdP to support both the OIDC and SAML protocols.

For example, we have developed Zero-Password Authentication and Authorization System as an identity provider to support SAML, OIDC, OAuth, and WS-Fed; that is, Zero-Password Authentication and Authorization System can provide identity authentication/federation for any web application that is equipped with either a SAML SP, OIDC RP, OAuth RP, or WS-Fed RP.

(2) A relying-party web application can be equipped with an OIDC RP (Relying Party) and a SAML SP (Service Provider) to support both the OIDC and SAML protocols.

For example, as a relying-party web application, OpenStack can be configured as either a SAML SP or an OIDC RP to communicate with a SAML IdP or an OIDC IdP respectively.

The official OpenStack link Configuring Keystone for Federation provides the instructions on how to configure OpenStack as a SAML SP or an OIDC RP.

Question 4:

Something else?

Resolution:

Your web application's login page can provide two buttons, for OIDC login and SAML login respectively.

(1) Clicking the OIDC login button redirects a user to the OIDC API of your identity provider.

The OIDC API of your identity provider will request the user to submit their authentication credentials, such as username/password.

Once the user has been authenticated, the user will be redirected back to the OIDC API of your web application.

Finally the user will be logged in to your web application.

(2) Clicking the SAML login button redirects a user to the SAML API of your identity provider.

The SAML API of your identity provider will request the user to submit their authentication credentials, such as username/password.

Once the user has been authenticated, the user will be redirected back to the SAML API of your web application.

Finally the user will be logged in to your web application.

Follow-up Question:

What I am trying to do is make the OIDC IdP an SP to the SAML provider, so that all of my OIDC RPs don't also have to be SAML SPs. Is there a common way of handling that?

I am trying not to have my client applications (RPs) rely on SAML. But if the IdP can make a SAML request, then based on that authn response, it seems that the OIDC IdP could then provide an OIDC authn response.

Answer:

(1) Implementing the SAML SP feature in the OIDC IdP (i.e., making the OIDC IdP a SAML SP to the SAML IdP) is a cost-expensive solution.

(I) The OIDC IdP sends a SAML auth request to the SAML IdP.

(II) The OIDC IdP decodes the SAML response from the SAML IdP.

(III) The OIDC IdP converts the SAML assertion to an OIDC token (i.e., converts the SAML response into an OIDC response which can be decoded by the OIDC RP).

RFC 7521 Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants and RFC 7522 Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants support the SAML 2 bearer profile with the authorization grant flow.

Micro Focus provides the instructions on Exchange SAML 2 Assertion with OAuth Access Token.

WSO2 also provides the instructions on Exchanging SAML2 Bearer Tokens with OAuth2 - SAML Extension Grant Type.

(2) A cost-effective solution is:

(I) A web server hosts both the OIDC IdP and the SAML IdP, and then leverages HAProxy to configure the OIDC IdP and the SAML IdP to use subdomains, e.g., oidcidp.your-domain.com and samlidp.your-domain.com.

The OIDC IdP and the SAML IdP can use the same data store or data repository, such as OpenLDAP, to authenticate username/password credentials.

(II) The OIDC RP communicates with the OIDC IdP and the SAML SP communicates with the SAML IdP.

(3) Another cost-effective solution is described in the resolution to Question 4.

Your identity provider implements both an OIDC IdP API and a SAML IdP API to communicate with the OIDC RP and the SAML SP respectively.

Upvotes: 1
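To make steps (I) to (III) of the follow-up answer concrete, here is an added example (not code from either poster, not IdentityServer4, and not any product named above) of the brokering pattern the question asks about: an OIDC IdP that acts as a SAML SP towards the upstream SAML IdP and, after validating the SAML Response, mints an ID token for the OIDC RP that started the flow. All entity IDs, URLs, the sample SAML Response and the HS256 key are constructed for the demo. XML signature verification of the Response is deliberately omitted to keep the block dependency-free; a real broker must verify the SAML IdP's signature before trusting anything in the assertion, and should sign ID tokens with an asymmetric key (RS256/ES256) so RPs can verify them via the JWKS endpoint.

```python
import base64, hashlib, hmac, json, uuid
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

BROKER_ENTITY_ID = "https://oidcidp.example.test/saml/metadata"  # constructed: broker's SAML SP entity ID
BROKER_ISSUER = "https://oidcidp.example.test"                   # constructed: broker's OIDC issuer
SIGNING_KEY = b"demo-only-hs256-key-use-rs256-in-production"      # constructed demo key
TOKEN_LIFETIME = 300

# Outstanding AuthnRequests: SAML request ID -> the OIDC RP context that triggered the SAML leg.
_pending = {}


def _ts(iso):
    """SAML timestamps are UTC ISO-8601 with a trailing Z."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00")).timestamp()


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def start_saml_leg(client_id, nonce):
    """Step (I): the broker issues a SAML AuthnRequest on behalf of an OIDC RP and
    remembers which RP (client_id + nonce) it was for. Returns the request ID the
    SAML IdP must echo back in InResponseTo."""
    request_id = "_" + uuid.uuid4().hex
    _pending[request_id] = {"client_id": client_id, "nonce": nonce}
    return request_id


def mint_id_token(claims):
    """Hand-rolled HS256 JWT so the example needs no third-party library."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_id_token(token):
    """What the OIDC RP does on receipt: check the signature, then read the claims."""
    header, body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad ID token signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def consume_saml_response(xml_text, now):
    """Steps (II)+(III): validate the SAML Response, then translate the assertion
    into ID-token claims for the RP that started the flow."""
    root = ET.fromstring(xml_text)
    # Only accept responses to a request we actually sent; popping the entry also
    # stops the same Response from being replayed a second time.
    pending = _pending.pop(root.get("InResponseTo"), None)
    if pending is None:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("SAML status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < _ts(nb)) or (noa and now >= _ts(noa)):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if BROKER_ENTITY_ID not in audiences:  # assertion was issued for some other SP
        raise ValueError("assertion not addressed to this broker")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no NameID")
    claims = {"iss": BROKER_ISSUER, "sub": name_id.text, "aud": pending["client_id"],
              "iat": int(now), "exp": int(now) + TOKEN_LIFETIME,
              "nonce": pending["nonce"], "amr": ["saml"]}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "email":  # map one SAML attribute onto a standard OIDC claim
            claims["email"] = attr.find("saml:AttributeValue", NS).text
    return mint_id_token(claims)


def sample_saml_response(request_id):
    """Constructed, unsigned SAML Response from an imaginary upstream IdP."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" InResponseTo="{request_id}">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://samlidp.example.test/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{BROKER_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def demo():
    """Full round trip: RP asks broker -> broker asks SAML IdP -> broker mints ID token -> RP verifies."""
    now = _ts("2024-05-01T12:01:00Z")  # fixed clock inside the assertion's window
    req_id = start_saml_leg(client_id="rp-app-1", nonce="n-123")
    token = consume_saml_response(sample_saml_response(req_id), now)
    return verify_id_token(token)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The checks in `consume_saml_response` are the part that makes this pattern safe rather than "open to abuse": the Response must answer a request this broker issued (and can be consumed only once), the assertion must be inside its time window and addressed to the broker's entity ID, and only then is a subject copied into an ID token bound to the original RP's `client_id` and `nonce`. The `amr` claim lets RPs see that the login was brokered through SAML.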
